Virtualization Technology News and Information
Onapsis 2023 Predictions: Business-Critical Application Security Will Become Increasingly Essential


Industry executives and experts share their predictions for 2023.  Read them in this 15th annual series exclusive.

Business-Critical Application Security Will Become Increasingly Essential

By JP Perez-Etchegoyen, CTO and Cofounder of Onapsis

From critical vulnerabilities to ongoing ransomware attacks, 2022 was yet another catastrophic year for cybersecurity. However, looking back on the cyber events that took place this past year can also help us understand how hackers are evolving their techniques, and what cyber investments organizations need to start or continue making as a result. Let's take a look at a few of our top cybersecurity predictions for 2023:

Protecting ERP and business applications will be the fastest-growing application security category

ERP systems, such as SAP and Oracle applications, run essential business functions and contain an organization's most valuable data, from HR information to company financials. Despite their importance, security teams often lack complete visibility into their ERP threat landscape and are unable to detect hidden vulnerabilities and suspicious activity. This has become increasingly dangerous, as attacks against business-critical applications are quickly accelerating. SAP and Onapsis recently found evidence of more than 300 successful exploitation attempts against unsecured SAP applications, pointing to cybercriminals' clear understanding of ERP applications.

In the coming year, enterprises will ramp up the deployment of business-critical application security tools as the number of attacks against these systems continues to grow exponentially. With the general application security market expected to reach $22.54 billion by 2028, up from $6.95 billion in 2021, it's evident that organizations are already recognizing the increasing need to protect their enterprise crown jewels.

The utilities sector will become increasingly prone to attack

Previous cyberattacks against critical infrastructure have proven to show the far-reaching, real-world impact they can cause, from Colonial Pipeline to the recent U.K. water treatment plant ransomware attack. While there have been significant steps forward to protect utilities organizations from attacks, such as the Environmental Protection Agency's plan to secure water systems and several enforced reporting requirements in 2022, critical cybersecurity gaps remain in the sector. 

In 2023, attacks against utilities will accelerate and organizations that aren't prepared may face far more destruction than the Colonial Pipeline attack aftermath. This will put more pressure on the government to increase funding toward smaller utilities companies that may not have the resources to defend themselves, as well as push these organizations to develop more robust cybersecurity programs.

Attackers will seek out the next Log4j vulnerability and will likely become successful

The impact of the Log4j flaw has been widespread and far-reaching, with countless organizations still reeling from its massive ripple effect. Log4j has underscored the level of difficulty in patching vulnerabilities within commonly used libraries, as almost every vendor within the software supply chain has been responsible for fixing it. Attackers have become well aware of this and have continued taking advantage of unpatched Log4j vulnerabilities. Just a few weeks ago, we saw North Korean nation-state threat actors exploiting Log4shell to hack energy providers and conduct espionage campaigns. 

In 2023, we'll not only continue to see the breadth of Log4j's exposure increase, but we'll also see threat actors focusing more on exploiting open-source libraries. To mitigate the impact of a vulnerability as critical as Log4shell, organizations must adopt a risk-based vulnerability management program that can help them prioritize patching the vulnerabilities that are most at-risk.

During a time of economic downturn, organizations will go back to security basics

Given the current period of economic uncertainty, organizations will continue cutting their budgets and putting their dollars into resources that are most critical to their business. While strengthening their cybersecurity programs will be a priority in the coming year, organizations will begin rethinking the types of tools they are investing in. In 2023, we'll see organizations lean more toward fundamental security technologies to protect their business assets. For instance, business-critical application security tools, such as vulnerability management platforms specifically designed for enterprise resource planning (ERP) applications, will help defend valuable data that enables an organization to successfully operate.

The exploitation of known vulnerabilities will become a leading attack vector

While threat actors are constantly on the hunt for new attack vectors, they tend to pay particularly close attention to known vulnerabilities, which provide them with an easy entry point into an enterprise's network. Research by the Onapsis Research Labs, SAP, and CISA shows that it takes the average organization 97 days to apply a patch, from the time a flaw is identified to the time a patch has been applied, tested, and deployed. At the same time, it takes less than 72 hours for cybercriminals to exploit ERP vulnerabilities after a patch is released.

Next year, we will continue seeing an increase in exploits against known vulnerabilities, especially those within web-facing applications, as those tend to be very lucrative assets for cybercriminals. Organizations must prepare by equipping themselves with automated vulnerability management tools that can provide them with complete visibility over their IT ecosystem and help them understand each vulnerability's level of criticality.

Threat actors will shift away from ransomware and opt for more discreet methods to monetize

Ransomware has historically been the primary method of monetizing for threat actors. However, research has revealed a decrease in both ransomware attacks and ransomware payments this past year, suggesting that cybercriminals are evolving their strategies. Rather than blatantly threatening organizations, threat actors will begin leveraging more discreet techniques to make a profit. Threat groups like Elephant Beetle have proven that cybercriminals can enter business-critical applications and remain undetected for months, even years, while silently siphoning off tens of millions of dollars.

While ransomware will still be a prominent cyber threat in the coming year, we will see more malicious groups directly targeting ERP applications. Organizations must develop cybersecurity protocols specifically around their business applications to ensure their most critical resources and valuable data are secure.

Cybersecurity in the Year Ahead

If we've learned anything about the cybersecurity landscape, it's that it is incredibly unprecedented. As such, the above are only a few of the many trends we can expect to see in 2023. One thing is certain - organizations must be prepared for anything that comes their way.




As CTO, JP leads the innovation team that keeps Onapsis on the cutting edge of the Business-Critical Application Security market, addressing some of the most complex problems that organizations are currently facing while managing and securing their ERP landscapes. JP helps manage the development of new products as well as support the ERP cybersecurity research efforts that have garnered critical acclaim for the Onapsis Research Labs.

JP is regularly invited to speak and host trainings at global industry conferences, including Black Hat, HackInTheBox, AppSec, Troopers, Oracle OpenWorld and SAP TechEd, and is a founding member of the Cloud Security Alliance (CSA) Cloud ERP Working Group. Over his professional career, JP has led many Information Security consultancy projects for some of the world's biggest companies around the globe in the fields of penetration and web application testing, vulnerability research, cybersecurity infosec auditing/standards, vulnerability research and more.

Published Wednesday, January 11, 2023 7:37 AM by David Marshall
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<January 2023>